From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Rebasing OpenSSL to 3.2.2
Date: Tue, 09 Jun 2026 12:45:21 GMT [thread overview]
Message-ID: <178100912134.1.9144499299873974688.rpms-openssl-892d8e1abb3c@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 892d8e1abb3cd458aae76570c04eb8ae4cf49873
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2024-06-06T10:40:23+02:00
Stats : +934/-1214 in 9 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/892d8e1abb3cd458aae76570c04eb8ae4cf49873?branch=rebase_40beta
Log:
Rebasing OpenSSL to 3.2.2
---
diff --git a/.gitignore b/.gitignore
index 91919c1..31ec31d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,3 +61,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.1.1.tar.gz
/openssl-3.1.4.tar.gz
/openssl-3.2.1.tar.gz
+/openssl-3.2.2.tar.gz
diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch
index 4e11f02..0bf3b2d 100644
--- a/0033-FIPS-embed-hmac.patch
+++ b/0033-FIPS-embed-hmac.patch
@@ -383,81 +383,14 @@ index 18d9f3d204..71780d8caa 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
- use lib srctop_dir('Configurations');
- use lib bldtop_dir('.');
+ setup("test_sslapi");
+ }
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
-diff -up openssl-3.2.1/providers/fips/self_test.c.0033-patch-new openssl-3.2.1/providers/fips/self_test.c
---- openssl-3.2.1/providers/fips/self_test.c.0033-patch-new 2024-06-04 14:42:03.748284524 +0200
-+++ openssl-3.2.1/providers/fips/self_test.c 2024-06-04 14:47:19.589758324 +0200
-@@ -369,23 +369,12 @@ static int verify_integrity(OSSL_CORE_BI
- EVP_MAC *mac = NULL;
- EVP_MAC_CTX *ctx = NULL;
- OSSL_PARAM params[2], *p = params;
-- Dl_info info;
-- void *extra_info = NULL;
-- struct link_map *lm = NULL;
-- unsigned long paddr;
-- unsigned long off = 0;
-
- if (!integrity_self_test(ev, libctx))
- goto err;
-
- OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
-
-- if (!dladdr1 ((const void *)fips_hmac_container,
-- &info, &extra_info, RTLD_DL_LINKMAP))
-- goto err;
-- lm = extra_info;
-- paddr = (unsigned long)fips_hmac_container - lm->l_addr;
--
- mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
- if (mac == NULL)
- goto err;
-@@ -399,40 +388,12 @@ static int verify_integrity(OSSL_CORE_BI
- if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
- goto err;
-
-- while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
-- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
-- if (status != 1)
-- break;
-- if (!EVP_MAC_update(ctx, buf, bytes_read))
-- goto err;
-- off += bytes_read;
-- }
--
-- if (off + INTEGRITY_BUF_SIZE > paddr) {
-- int delta = paddr - off;
-- status = read_ex_cb(bio, buf, delta, &bytes_read);
-- if (status != 1)
-- goto err;
-- if (!EVP_MAC_update(ctx, buf, bytes_read))
-- goto err;
-- off += bytes_read;
--
-- status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
-- memset(buf, 0, HMAC_LEN);
-- if (status != 1)
-- goto err;
-- if (!EVP_MAC_update(ctx, buf, bytes_read))
-- goto err;
-- off += bytes_read;
-- }
--
-- while (bytes_read > 0) {
-- status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
-+ while (1) {
-+ status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
- if (status != 1)
- break;
- if (!EVP_MAC_update(ctx, buf, bytes_read))
- goto err;
-- off += bytes_read;
- }
-
- if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+--
+2.44.0
+
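Review bot: Dropping the `providers/fips/self_test.c` section from 0033 is not documented anywhere in this commit, although it changes how `verify_integrity()` is built. The removed inner hunk replaced the offset-aware read, which locates `fips_hmac_container` via `dladdr1` and zeroes `HMAC_LEN` bytes before `EVP_MAC_update`, with a plain `while (1)` read loop. Without it, the integrity check is presumably whatever the earlier part of 0033 leaves in place, which starts outside this hunk and should be confirmed against the rebased patch. A one-line rationale in the patch header would help, for example `# 3.2.2 rebase: dropped the self_test.c hunk that reverted verify_integrity() to a plain read loop`. The retained context line `my $no_fips = 1;` means `90-test_sslapi.t` still skips its FIPS paths, so this test would likely not catch a regression in the integrity check.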
diff --git a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch b/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
deleted file mode 100644
index 3867e06..0000000
--- a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+++ /dev/null
@@ -1,874 +0,0 @@
-From c503fa302490f76f191af6259e4199572280298a Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 32/49] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
-
-Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
-Patch-id: 78
-Patch-status: |
- # # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
-From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
----
- include/crypto/evp.h | 7 ++
- include/openssl/kdf.h | 4 +
- providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
- providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
- providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
- providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
- providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
- util/perl/OpenSSL/paramnames.pm | 1 +
- 9 files changed, 487 insertions(+), 22 deletions(-)
-
-diff --git a/include/crypto/evp.h b/include/crypto/evp.h
-index 34cea2f9f4..1e4895959b 100644
---- a/include/crypto/evp.h
-+++ b/include/crypto/evp.h
-@@ -228,6 +228,13 @@ struct evp_mac_st {
- OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
- };
-
-+#ifdef FIPS_MODULE
-+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
-+ * Additional Keys from a Cryptographic Key, "[t]he length of the
-+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
-+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
-+#endif
-+
- struct evp_kdf_st {
- OSSL_PROVIDER *prov;
- int name_id;
-diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
-index 0983230a48..86171635ea 100644
---- a/include/openssl/kdf.h
-+++ b/include/openssl/kdf.h
-@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
- # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
- # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
-
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-+
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
- #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
-diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
-index 78425fbb42..0ff3433074 100644
---- a/providers/implementations/kdfs/hkdf.c
-+++ b/providers/implementations/kdfs/hkdf.c
-@@ -44,6 +44,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
- static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
- static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
- static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
-+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
- static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
- static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
- static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
-@@ -87,6 +88,10 @@ typedef struct {
- size_t data_len;
- unsigned char *info;
- size_t info_len;
-+ int is_tls13;
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_HKDF;
-
- static void *kdf_hkdf_new(void *provctx)
-@@ -200,6 +205,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
- return 0;
- }
-
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- switch (ctx->mode) {
- case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
- default:
-@@ -308,15 +318,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
- KDF_HKDF *ctx = (KDF_HKDF *)vctx;
- OSSL_PARAM *p;
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
- size_t sz = kdf_hkdf_size(ctx);
-
-- if (sz == 0)
-+ any_valid = 1;
-+
-+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
-+ return 0;
-+ }
-+
-+#ifdef FIPS_MODULE
-+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
-+ != NULL) {
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved. */
-+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ if (ctx->is_tls13) {
-+ if (md != NULL
-+ && !EVP_MD_is_a(md, "SHA2-256")
-+ && !EVP_MD_is_a(md, "SHA2-384")) {
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
-+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
-+ * key derivation function documented in Section 7.1 of RFC
-+ * 8446. This is considered an approved CVL because the
-+ * underlying functions performed within the TLS 1.3 KDF map to
-+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
-+ * Option #3), SP 800-56Crev2, and SP 800-108."
-+ *
-+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+ } else {
-+ if (md != NULL
-+ && (EVP_MD_is_a(md, "SHAKE-128") ||
-+ EVP_MD_is_a(md, "SHAKE-256"))) {
-+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
-+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
-+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
-+ * extendable-output functions may only be used as the
-+ * standalone algorithms." */
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+ }
-+ if (!OSSL_PARAM_set_int(p, fips_indicator))
- return 0;
-- return OSSL_PARAM_set_size_t(p, sz);
- }
-- return -2;
-+#endif /* defined(FIPS_MODULE) */
-+
-+ if (!any_valid)
-+ return -2;
-+
-+ return 1;
- }
-
- static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -324,6 +397,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
- {
- static const OSSL_PARAM known_gettable_ctx_params[] = {
- OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
- OSSL_PARAM_END
- };
- return known_gettable_ctx_params;
-@@ -654,6 +730,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
- return ret;
- }
-
-+static void *kdf_tls1_3_new(void *provctx)
-+{
-+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
-+
-+ if (hkdf != NULL)
-+ hkdf->is_tls13 = 1;
-+
-+ return hkdf;
-+}
-+
-+
- static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
- const OSSL_PARAM params[])
- {
-@@ -669,6 +756,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
- return 0;
- }
-
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- switch (ctx->mode) {
- default:
- return 0;
-@@ -746,7 +838,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
- }
-
- const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
-- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
-+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
- { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
- { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
- { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
-diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
-index e6855d5732..ebd9d648a6 100644
---- a/providers/implementations/kdfs/kbkdf.c
-+++ b/providers/implementations/kdfs/kbkdf.c
-@@ -60,6 +60,9 @@ typedef struct {
- kbkdf_mode mode;
- EVP_MAC_CTX *ctx_init;
-
-+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
-+ PROV_DIGEST digest;
-+
- /* Names are lowercased versions of those found in SP800-108. */
- int r;
- unsigned char *ki;
-@@ -73,6 +76,9 @@ typedef struct {
- int use_l;
- int is_kmac;
- int use_separator;
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KBKDF;
-
- /* Definitions needed for typechecking. */
-@@ -142,6 +148,7 @@ static void kbkdf_reset(void *vctx)
- void *provctx = ctx->provctx;
-
- EVP_MAC_CTX_free(ctx->ctx_init);
-+ ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_clear_free(ctx->context, ctx->context_len);
- OPENSSL_clear_free(ctx->label, ctx->label_len);
- OPENSSL_clear_free(ctx->ki, ctx->ki_len);
-@@ -307,6 +314,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
- goto done;
- }
-
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
- if (h == 0)
- goto done;
-@@ -369,6 +381,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
- }
- }
-
-+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
-+ return 0;
-+
- p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
- if (p != NULL
- && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
-@@ -450,20 +465,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
- static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
- OSSL_PARAM *p;
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-
- p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
-- if (p == NULL)
-+ if (p != NULL) {
-+ any_valid = 1;
-+
-+ /* KBKDF can produce results as large as you like. */
-+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+ return 0;
-+ }
-+
-+#ifdef FIPS_MODULE
-+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
-+ if (p != NULL) {
-+ KBKDF *ctx = (KBKDF *)vctx;
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved. */
-+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+ * extendable-output functions may only be used as the standalone
-+ * algorithms." Note that the digest is only used when the MAC
-+ * algorithm is HMAC. */
-+ if (ctx->ctx_init != NULL
-+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
-+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
-+ if (md != NULL
-+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+ }
-+
-+ if (!OSSL_PARAM_set_int(p, fips_indicator))
-+ return 0;
-+ }
-+#endif
-+
-+ if (!any_valid)
- return -2;
-
-- /* KBKDF can produce results as large as you like. */
-- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
-+ return 1;
- }
-
- static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
- ossl_unused void *provctx)
- {
-- static const OSSL_PARAM known_gettable_ctx_params[] =
-- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
-+ static const OSSL_PARAM known_gettable_ctx_params[] = {
-+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
-+ OSSL_PARAM_END
-+ };
- return known_gettable_ctx_params;
- }
-
-diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
-index 90986bc762..27cd7f8bdf 100644
---- a/providers/implementations/kdfs/sshkdf.c
-+++ b/providers/implementations/kdfs/sshkdf.c
-@@ -49,6 +49,9 @@ typedef struct {
- char type; /* X */
- unsigned char *session_id;
- size_t session_id_len;
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_SSHKDF;
-
- static void *kdf_sshkdf_new(void *provctx)
-@@ -149,6 +152,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
- return 0;
- }
-+
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- return SSHKDF(md, ctx->key, ctx->key_len,
- ctx->xcghash, ctx->xcghash_len,
- ctx->session_id, ctx->session_id_len,
-@@ -217,10 +226,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
- static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
- OSSL_PARAM *p;
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-
-- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
-- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
-- return -2;
-+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+ any_valid = 1;
-+
-+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+ return 0;
-+ }
-+
-+#ifdef FIPS_MODULE
-+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
-+ if (p != NULL) {
-+ KDF_SSHKDF *ctx = vctx;
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved. */
-+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+ * extendable-output functions may only be used as the standalone
-+ * algorithms."
-+ *
-+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
-+ * function used in SSHKDF "is one of the hash functions specified in
-+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
-+ * */
-+ if (ctx->digest.md != NULL
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+
-+ if (!OSSL_PARAM_set_int(p, fips_indicator))
-+ return 0;
-+ }
-+#endif
-+
-+ if (!any_valid)
-+ return -2;
-+
-+ return 1;
- }
-
- static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -228,6 +294,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
- {
- static const OSSL_PARAM known_gettable_ctx_params[] = {
- OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
- OSSL_PARAM_END
- };
- return known_gettable_ctx_params;
-diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
-index db750a4f23..175fd30327 100644
---- a/providers/implementations/kdfs/sskdf.c
-+++ b/providers/implementations/kdfs/sskdf.c
-@@ -64,6 +64,10 @@ typedef struct {
- size_t salt_len;
- size_t out_len; /* optional KMAC parameter */
- int is_kmac;
-+ int is_x963kdf;
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_SSKDF;
-
- #define SSKDF_MAX_INLEN (1<<30)
-@@ -74,6 +78,7 @@ typedef struct {
- static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
-
- static OSSL_FUNC_kdf_newctx_fn sskdf_new;
-+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
- static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
- static OSSL_FUNC_kdf_freectx_fn sskdf_free;
- static OSSL_FUNC_kdf_reset_fn sskdf_reset;
-@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
- return ctx;
- }
-
-+static void *x963kdf_new(void *provctx)
-+{
-+ KDF_SSKDF *ctx = sskdf_new(provctx);
-+
-+ if (ctx)
-+ ctx->is_x963kdf = 1;
-+
-+ return ctx;
-+}
-+
- static void sskdf_reset(void *vctx)
- {
- KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
-@@ -382,6 +397,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
- }
- md = ossl_prov_digest_md(&ctx->digest);
-
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- if (ctx->macctx != NULL) {
- /* H(x) = KMAC or H(x) = HMAC */
- int ret;
-@@ -461,6 +481,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
- return 0;
- }
-
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
- return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
- ctx->info, ctx->info_len, 1, key, keylen);
- }
-@@ -537,10 +562,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
- KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
- OSSL_PARAM *p;
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-+
-+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+ any_valid = 1;
-+
-+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
-+ return 0;
-+ }
-
-- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
-- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
-- return -2;
-+#ifdef FIPS_MODULE
-+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
-+ if (p != NULL) {
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved. */
-+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+ * extendable-output functions may only be used as the standalone
-+ * algorithms." */
-+ if (ctx->macctx == NULL
-+ || (ctx->macctx != NULL &&
-+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
-+ if (ctx->digest.md != NULL
-+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
-+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+
-+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
-+ * should only be used for 80-bit key agreement, but FIPS 140-3
-+ * requires a security strength of 112 bits, so SHA-1 cannot be
-+ * used with X9.63. See the discussion in
-+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
-+ */
-+ if (ctx->is_x963kdf
-+ && ctx->digest.md != NULL
-+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+ }
-+
-+ if (!OSSL_PARAM_set_int(p, fips_indicator))
-+ return 0;
-+ }
-+#endif
-+
-+ if (!any_valid)
-+ return -2;
-+
-+ return 1;
- }
-
- static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -548,6 +637,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
- {
- static const OSSL_PARAM known_gettable_ctx_params[] = {
- OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
-+#endif /* defined(FIPS_MODULE) */
- OSSL_PARAM_END
- };
- return known_gettable_ctx_params;
-@@ -569,7 +661,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
- };
-
- const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
-- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
-+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
- { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
- { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
- { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
-diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
-index ff305579c3..e6f41020a4 100644
---- a/providers/implementations/kdfs/tls1_prf.c
-+++ b/providers/implementations/kdfs/tls1_prf.c
-@@ -104,6 +104,13 @@ typedef struct {
- /* Buffer of concatenated seed data */
- unsigned char seed[TLS1_PRF_MAXBUF];
- size_t seedlen;
-+
-+ /* MAC digest algorithm; used to compute FIPS indicator */
-+ PROV_DIGEST digest;
-+
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } TLS1_PRF;
-
- static void *kdf_tls1_prf_new(void *provctx)
-@@ -137,6 +144,7 @@ static void kdf_tls1_prf_reset(void *vctx)
- EVP_MAC_CTX_free(ctx->P_sha1);
- OPENSSL_clear_free(ctx->sec, ctx->seclen);
- OPENSSL_cleanse(ctx->seed, ctx->seedlen);
-+ ossl_prov_digest_reset(&ctx->digest);
- memset(ctx, 0, sizeof(*ctx));
- ctx->provctx = provctx;
- }
-@@ -191,6 +199,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
- return 0;
- }
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-
- /*
- * The seed buffer is prepended with a label.
-@@ -240,6 +252,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
- }
- }
-
-+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
-+ return 0;
-+
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
- OPENSSL_clear_free(ctx->sec, ctx->seclen);
- ctx->sec = NULL;
-@@ -281,10 +296,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
- static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
- OSSL_PARAM *p;
-+#ifdef FIPS_MODULE
-+ TLS1_PRF *ctx = vctx;
-+#endif /* defined(FIPS_MODULE) */
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-+
-+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+ any_valid = 1;
-+
-+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+ return 0;
-+ }
-+
-+#ifdef FIPS_MODULE
-+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
-+ if (p != NULL) {
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved. */
-+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
-+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
-+ if (ctx->digest.md != NULL
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
-+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+
-+ if (!OSSL_PARAM_set_int(p, fips_indicator))
-+ return 0;
-+ }
-+#endif
-
-- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
-- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
-- return -2;
-+ if (!any_valid)
-+ return -2;
-+
-+ return 1;
- }
-
- static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
-@@ -292,6 +357,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
- {
- static const OSSL_PARAM known_gettable_ctx_params[] = {
- OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
-+#endif /* defined(FIPS_MODULE) */
- OSSL_PARAM_END
- };
- return known_gettable_ctx_params;
-diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
-index 19b54493ef..77a6210184 100644
---- a/providers/implementations/kdfs/x942kdf.c
-+++ b/providers/implementations/kdfs/x942kdf.c
-@@ -13,11 +13,13 @@
- #include <openssl/core_dispatch.h>
- #include <openssl/err.h>
- #include <openssl/evp.h>
-+#include <openssl/kdf.h>
- #include <openssl/params.h>
- #include <openssl/proverr.h>
- #include "internal/packet.h"
- #include "internal/der.h"
- #include "internal/nelem.h"
-+#include "crypto/evp.h"
- #include "prov/provider_ctx.h"
- #include "prov/providercommon.h"
- #include "prov/implementations.h"
-@@ -49,6 +51,9 @@ typedef struct {
- const unsigned char *cek_oid;
- size_t cek_oid_len;
- int use_keybits;
-+#ifdef FIPS_MODULE
-+ int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_X942;
-
- /*
-@@ -495,6 +500,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
- ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
- return 0;
- }
-+#ifdef FIPS_MODULE
-+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
- ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
- der, der_len, ctr, key, keylen);
- OPENSSL_free(der);
-@@ -598,10 +607,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
- KDF_X942 *ctx = (KDF_X942 *)vctx;
- OSSL_PARAM *p;
-+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
-
-- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
-- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
-- return -2;
-+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+ any_valid = 1;
-+
-+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
-+ return 0;
-+ }
-+
-+#ifdef FIPS_MODULE
-+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
-+ if (p != NULL) {
-+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
-+
-+ any_valid = 1;
-+
-+ /* According to NIST Special Publication 800-131Ar2, Section 8:
-+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+ * the key-derivation key [i.e., the input key] shall be at least 112
-+ * bits". */
-+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section D.B and NIST Special Publication
-+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+ * strength < 112 bits is legacy use only, so all derived keys should
-+ * be longer than that. If a derived key has ever been shorter than
-+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+ * should also set the returned FIPS indicator to unapproved. */
-+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+ * extendable-output functions may only be used as the standalone
-+ * algorithms." */
-+ if (ctx->digest.md != NULL
-+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
-+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
-+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
-+ }
-+
-+ if (!OSSL_PARAM_set_int(p, fips_indicator))
-+ return 0;
-+ }
-+#endif
-+
-+ if (!any_valid)
-+ return -2;
-+
-+ return 1;
- }
-
- static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -609,6 +666,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
- {
- static const OSSL_PARAM known_gettable_ctx_params[] = {
- OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
-+#endif /* defined(FIPS_MODULE) */
- OSSL_PARAM_END
- };
- return known_gettable_ctx_params;
-diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
-index 70f7c50fe4..6618122417 100644
---- a/util/perl/OpenSSL/paramnames.pm
-+++ b/util/perl/OpenSSL/paramnames.pm
-@@ -183,6 +183,7 @@ my %params = (
- 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
- 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
- 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
-+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
- 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
- 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
- 'KDF_PARAM_THREADS' => "threads", # uint32_t
---
-2.44.0
-
diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch
new file mode 100644
index 0000000..17ff63e
--- /dev/null
+++ b/0078-KDF-Add-FIPS-indicators.patch
@@ -0,0 +1,911 @@
+From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Thu, 11 Aug 2022 09:27:12 +0200
+Subject: KDF: Add FIPS indicators
+
+FIPS requires a number of restrictions on the parameters of the various
+key derivation functions implemented in OpenSSL. The KDFs that use
+digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
+C.C). Additionally, some application-specific KDFs have further
+restrictions defined in SP 800-135r1.
+
+Generally, all KDFs shall use a key-derivation key length of at least
+112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
+to generate and output length of less than 112 bits will also set the
+indicator to unapproved.
+
+Add explicit indicators to all KDFs usable in FIPS mode except for
+PBKDF2 (which has its specific FIPS limits already implemented). The
+indicator can be queried using EVP_KDF_CTX_get_params() after setting
+the required parameters and keys for the KDF.
+
+Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
+truncated variants -224 and -384) and SHA3 (-256 and -512, and the
+truncated versions -224 and -384), as well as SHAKE-128 and -256.
+
+The SHAKE functions are generally not allowed in KDFs. For the rest, the
+support matrix is:
+
+ KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
+==========================================================================
+KBKDF | x | x | x | x | x
+HKDF | x | x | x | x | x
+TLS1PRF | | SHA-{256,384,512} only | |
+SSHKDF | x | x | x | |
+SSKDF | x | x | x | x | x
+X9.63KDF | | x | x | x | x
+X9.42-ASN1 | x | x | x | x | x
+TLS1.3PRF | | SHA-{256,384} only | |
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+Resolves: rhbz#2160733 rhbz#2164763
+Related: rhbz#2114772 rhbz#2141695
+---
+ include/crypto/evp.h | 7 ++
+ include/openssl/kdf.h | 4 +
+ providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
+ providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
+ providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
+ providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
+ util/perl/OpenSSL/paramnames.pm | 1 +
+ 9 files changed, 487 insertions(+), 22 deletions(-)
+
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index e70d8e9e84..76fb990de4 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -219,6 +219,13 @@ struct evp_mac_st {
+ OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
+ };
+
++#ifdef FIPS_MODULE
++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
++ * Additional Keys from a Cryptographic Key, "[t]he length of the
++ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_kdf_st {
+ OSSL_PROVIDER *prov;
+ int name_id;
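Review bot: The comment on `EVP_KDF_FIPS_MIN_KEY_LEN` states the limit in bits, but the value `(112 / 8)` is a byte count. Every use in this patch compares it with a byte length (`keylen`, `ctx->key_len`, `ctx->secret_len`, `ctx->ki_len`, `ctx->seclen`). Add a closing sentence such as `The value is expressed in bytes.` so that nobody later compares it against a bit length and weakens the 112-bit floor by a factor of eight.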
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index dfa7786bde..f01e40ff5a 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
+ static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+ static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
+ static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
+ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
+@@ -85,6 +86,10 @@ typedef struct {
+ size_t data_len;
+ unsigned char *info;
+ size_t info_len;
++ int is_tls13;
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_HKDF;
+
+ static void *kdf_hkdf_new(void *provctx)
+@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ return 0;
+ }
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ switch (ctx->mode) {
+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
+ default:
+@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
+ {
+ KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ size_t sz = kdf_hkdf_size(ctx);
+
++ any_valid = 1;
+ if (sz == 0)
+ return 0;
+ return OSSL_PARAM_set_size_t(p, sz);
+ }
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
++ any_valid = 1;
+ if (ctx->info == NULL || ctx->info_len == 0) {
+ p->return_size = 0;
+ return 1;
+ }
+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+ }
+- return -2;
++#ifdef FIPS_MODULE
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++ != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ if (ctx->is_tls13) {
++ if (md != NULL
++ && !EVP_MD_is_a(md, "SHA2-256")
++ && !EVP_MD_is_a(md, "SHA2-384")) {
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
++ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
++ * key derivation function documented in Section 7.1 of RFC
++ * 8446. This is considered an approved CVL because the
++ * underlying functions performed within the TLS 1.3 KDF map to
++ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
++ * Option #3), SP 800-56Crev2, and SP 800-108."
++ *
++ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ } else {
++ if (md != NULL
++ && (EVP_MD_is_a(md, "SHAKE-128") ||
++ EVP_MD_is_a(md, "SHAKE-256"))) {
++ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
++ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
++ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the
++ * standalone algorithms." */
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ }
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif /* defined(FIPS_MODULE) */
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
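Review bot: In `kdf_hkdf_get_ctx_params` the `OSSL_KDF_PARAM_SIZE` and `OSSL_KDF_PARAM_INFO` branches still end in `return`. A caller that asks for either of them together with `OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR` therefore gets a success return while its indicator slot is never written, and the `any_valid = 1` assignments added in those branches have no effect. The kbkdf, sshkdf, sskdf and tls1_prf getters in this patch were converted to check-and-fall-through; this one should follow them so an indicator query cannot silently keep whatever value the caller initialised. The function's signature sits in the hunk header, outside the hunk body.

```c
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
        size_t sz = kdf_hkdf_size(ctx);

        any_valid = 1;
        if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
            return 0;
    }
    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
        any_valid = 1;
        if (ctx->info == NULL || ctx->info_len == 0)
            p->return_size = 0;
        else if (!OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len))
            return 0;
    }
    /* … unchanged: FIPS indicator block and the final any_valid check … */
```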
+@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
+ return ret;
+ }
+
++static void *kdf_tls1_3_new(void *provctx)
++{
++ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
++
++ if (hkdf != NULL)
++ hkdf->is_tls13 = 1;
++
++ return hkdf;
++}
++
++
+ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+ const OSSL_PARAM params[])
+ {
+@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+ return 0;
+ }
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ switch (ctx->mode) {
+ default:
+ return 0;
+@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
+ }
+
+ const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
+- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
+ { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
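Review bot: `ossl_kdf_tls1_3_kdf_functions` now creates contexts with `kdf_tls1_3_new`, but `OSSL_FUNC_KDF_DUPCTX` and `OSSL_FUNC_KDF_RESET` still point at `kdf_hkdf_dup` and `kdf_hkdf_reset`, which this patch does not touch and whose bodies are not visible here. If the dup copies fields one by one, or the reset zeroes the whole struct, the resulting context loses `is_tls13`, and a dup also loses the sticky `fips_indicator`. The getter would then judge a TLS 1.3 context by the plain-HKDF digest rule and could report APPROVED after an earlier short output. Please confirm both functions carry the flag over, e.g. `dest->is_tls13 = src->is_tls13;` and `dest->fips_indicator = src->fips_indicator;` in the dup. The same question applies to `sskdf_dup` and `sskdf_reset` behind `x963kdf_new` in the sskdf.c dispatch hunk, and to the dup paths for the new `digest` members in kbkdf.c and tls1_prf.c.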
+diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
+index a542f84dfa..6b6dfb94ac 100644
+--- a/providers/implementations/kdfs/kbkdf.c
++++ b/providers/implementations/kdfs/kbkdf.c
+@@ -59,6 +59,9 @@ typedef struct {
+ kbkdf_mode mode;
+ EVP_MAC_CTX *ctx_init;
+
++ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
++ PROV_DIGEST digest;
++
+ /* Names are lowercased versions of those found in SP800-108. */
+ int r;
+ unsigned char *ki;
+@@ -73,6 +76,9 @@ typedef struct {
+ int use_l;
+ int is_kmac;
+ int use_separator;
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KBKDF;
+
+ /* Definitions needed for typechecking. */
+@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
+ void *provctx = ctx->provctx;
+
+ EVP_MAC_CTX_free(ctx->ctx_init);
++ ossl_prov_digest_reset(&ctx->digest);
+ OPENSSL_clear_free(ctx->context, ctx->context_len);
+ OPENSSL_clear_free(ctx->label, ctx->label_len);
+ OPENSSL_clear_free(ctx->ki, ctx->ki_len);
+@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ goto done;
+ }
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
+ if (h == 0)
+ goto done;
+@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ }
+ }
+
++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++ return 0;
++
+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
+ if (p != NULL
+ && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
+@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
+- if (p == NULL)
++ if (p != NULL) {
++ any_valid = 1;
++
++ /* KBKDF can produce results as large as you like. */
++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ KBKDF *ctx = (KBKDF *)vctx;
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the standalone
++ * algorithms." Note that the digest is only used when the MAC
++ * algorithm is HMAC. */
++ if (ctx->ctx_init != NULL
++ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++ if (md != NULL
++ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
++
++ if (!any_valid)
+ return -2;
+
+- /* KBKDF can produce results as large as you like. */
+- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
++ return 1;
+ }
+
+ static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
+ ossl_unused void *provctx)
+ {
+- static const OSSL_PARAM known_gettable_ctx_params[] =
+- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
++ static const OSSL_PARAM known_gettable_ctx_params[] = {
++ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
++ OSSL_PARAM_END
++ };
+ return known_gettable_ctx_params;
+ }
+
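Review bot: The comment above the `ctx->fips_indicator` check in `kbkdf_get_ctx_params` refers to `ctx->output_keyelen_indicator`, a name this patch never declares; the member it adds is `fips_indicator`. The same sentence is copied into the hkdf, sshkdf, sskdf and tls1_prf getters. Suggest `If a derived key has ever been shorter than that, ctx->fips_indicator will be NOT_APPROVED` in each place. In the same comment block the IG title is given as "Cryptographic Module Verification Program", while the next comment says "Validation Program"; pick the one form throughout.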
+diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
+index c592ba72f1..4a52b38266 100644
+--- a/providers/implementations/kdfs/sshkdf.c
++++ b/providers/implementations/kdfs/sshkdf.c
+@@ -48,6 +48,9 @@ typedef struct {
+ char type; /* X */
+ unsigned char *session_id;
+ size_t session_id_len;
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSHKDF;
+
+ static void *kdf_sshkdf_new(void *provctx)
+@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
+ return 0;
+ }
++
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ return SSHKDF(md, ctx->key, ctx->key_len,
+ ctx->xcghash, ctx->xcghash_len,
+ ctx->session_id, ctx->session_id_len,
+@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+- return -2;
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ KDF_SSHKDF *ctx = vctx;
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the standalone
++ * algorithms."
++ *
++ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
++ * function used in SSHKDF "is one of the hash functions specified in
++ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
++ * */
++ if (ctx->digest.md != NULL
++ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
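Review bot: The comment before the digest allow-list in `kdf_sshkdf_get_ctx_params` says the FIPS 180-3 requirement "rules out SHA-3 and truncated variants of SHA-2", yet the check directly below accepts `SHA2-224` and `SHA2-384`. The commit message itself calls those two the truncated variants and marks them as supported for SSHKDF. Presumably the comment means the SHA-512/t forms; if so, reword it along the lines of `which rules out SHA-3 as well as SHA-512/224 and SHA-512/256`, so the comment and the allow-list agree. As written, a later maintainer could "fix" the list to match the comment and turn valid SHA-224/SHA-384 uses into NOT_APPROVED.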
+@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
+index eb54972e1c..23865cd70f 100644
+--- a/providers/implementations/kdfs/sskdf.c
++++ b/providers/implementations/kdfs/sskdf.c
+@@ -64,6 +64,10 @@ typedef struct {
+ size_t salt_len;
+ size_t out_len; /* optional KMAC parameter */
+ int is_kmac;
++ int is_x963kdf;
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSKDF;
+
+ #define SSKDF_MAX_INLEN (1<<30)
+@@ -73,6 +77,7 @@ typedef struct {
+ static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
+
+ static OSSL_FUNC_kdf_newctx_fn sskdf_new;
++static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
+ static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
+ static OSSL_FUNC_kdf_freectx_fn sskdf_free;
+ static OSSL_FUNC_kdf_reset_fn sskdf_reset;
+@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
+ return ctx;
+ }
+
++static void *x963kdf_new(void *provctx)
++{
++ KDF_SSKDF *ctx = sskdf_new(provctx);
++
++ if (ctx)
++ ctx->is_x963kdf = 1;
++
++ return ctx;
++}
++
+ static void sskdf_reset(void *vctx)
+ {
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ }
+ md = ossl_prov_digest_md(&ctx->digest);
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ if (ctx->macctx != NULL) {
+ /* H(x) = KMAC or H(x) = HMAC */
+ int ret;
+@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ return 0;
+ }
+
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+ return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+ ctx->info, ctx->info_len, 1, key, keylen);
+ }
+@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
++ return 0;
++ }
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
+- return -2;
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the standalone
++ * algorithms." */
++ if (ctx->macctx == NULL
++ || (ctx->macctx != NULL &&
++ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
++ if (ctx->digest.md != NULL
++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
++ * should only be used for 80-bit key agreement, but FIPS 140-3
++ * requires a security strength of 112 bits, so SHA-1 cannot be
++ * used with X9.63. See the discussion in
++ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
++ */
++ if (ctx->is_x963kdf
++ && ctx->digest.md != NULL
++ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
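Review bot: The MAC test in `sskdf_get_ctx_params` is redundant: in `ctx->macctx == NULL || (ctx->macctx != NULL && EVP_MAC_is_a(...))` the inner `ctx->macctx != NULL` is always true when it is evaluated. `if (ctx->macctx == NULL || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC)) {` says the same thing. The block also reads `ctx->digest.md` directly, while the hkdf and kbkdf getters in this patch go through `ossl_prov_digest_md(&ctx->digest)`, as the `sskdf_derive` context line does; fetching it once into a local `md` would keep the getters alike. A one-line comment stating why a KMAC context skips both digest checks would help the next reader.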
+@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
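Review bot: The new table entry passes `0` as the address argument, while the hkdf, kbkdf and sshkdf tables added by this same patch pass `NULL`, matching the `OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL)` line just above it. Use the pointer form here and in the tls1_prf table as well: `OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),`.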
+@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
+ };
+
+ const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
+- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
+ { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
+ { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+ { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index a4d64b9352..f6782a6ca2 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -93,6 +93,13 @@ typedef struct {
+ /* Buffer of concatenated seed data */
+ unsigned char seed[TLS1_PRF_MAXBUF];
+ size_t seedlen;
++
++ /* MAC digest algorithm; used to compute FIPS indicator */
++ PROV_DIGEST digest;
++
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } TLS1_PRF;
+
+ static void *kdf_tls1_prf_new(void *provctx)
+@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
+ EVP_MAC_CTX_free(ctx->P_sha1);
+ OPENSSL_clear_free(ctx->sec, ctx->seclen);
+ OPENSSL_cleanse(ctx->seed, ctx->seedlen);
++ ossl_prov_digest_reset(&ctx->digest);
+ memset(ctx, 0, sizeof(*ctx));
+ ctx->provctx = provctx;
+ }
+@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+
+ /*
+ * The seed buffer is prepended with a label.
+@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ }
+ }
+
++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++ return 0;
++
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
+ OPENSSL_clear_free(ctx->sec, ctx->seclen);
+ ctx->sec = NULL;
+@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
+ static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ OSSL_PARAM *p;
++#ifdef FIPS_MODULE
++ TLS1_PRF *ctx = vctx;
++#endif /* defined(FIPS_MODULE) */
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
++ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
++ if (ctx->digest.md != NULL
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+- return -2;
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
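Review bot: The comment above the `ctx->fips_indicator` test in kdf_tls1_prf_get_ctx_params names `ctx->output_keyelen_indicator`, a field this hunk never reads, so comment and code disagree about where the short-output latch is stored; the comment line should read `* that, ctx->fips_indicator will be NOT_APPROVED, and we`. The same stale wording is repeated in the x942kdf_get_ctx_params hunk further down. Separately, the digest test is skipped when `ctx->digest.md` is NULL, so a context with a long enough secret but no digest set would report APPROVED; if that state is reachable, treating a missing digest as not approved would make the indicator fail closed. The closing `#endif` also lacks the `/* defined(FIPS_MODULE) */` trailer used on the other guards in this patch.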
+@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
+index b1bc6f7e1b..8173fc2cc7 100644
+--- a/providers/implementations/kdfs/x942kdf.c
++++ b/providers/implementations/kdfs/x942kdf.c
+@@ -13,11 +13,13 @@
+ #include <openssl/core_dispatch.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
++#include <openssl/kdf.h>
+ #include <openssl/params.h>
+ #include <openssl/proverr.h>
+ #include "internal/packet.h"
+ #include "internal/der.h"
+ #include "internal/nelem.h"
++#include "crypto/evp.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -47,6 +50,9 @@ typedef struct {
+ const unsigned char *cek_oid;
+ size_t cek_oid_len;
+ int use_keybits;
++#ifdef FIPS_MODULE
++ int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_X942;
+
+ /*
+@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+ ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
+ return 0;
+ }
++#ifdef FIPS_MODULE
++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+ ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
+ der, der_len, ctr, key, keylen);
+ OPENSSL_free(der);
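Review bot: The added `keylen < EVP_KDF_FIPS_MIN_KEY_LEN` check in x942kdf_derive carries no comment, unlike the matching checks in the get_ctx_params hunks, and two things are not obvious from the line: `keylen` is a byte count while the cited requirement is 112 bits (the constant's unit is not visible here), and the flag is only ever set, never cleared, at this site. A comment such as `/* Sticky: once any derived key is shorter than the FIPS minimum, this context stays non-approved */` would record the intent. Whether resetting or duplicating the context clears or copies the new `fips_indicator` field is outside this hunk and worth confirming, since a stale or dropped flag would make the indicator misreport. x942kdf_derive starts and ends outside the hunk.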
+@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+ KDF_X942 *ctx = (KDF_X942 *)vctx;
+ OSSL_PARAM *p;
++ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
+- return -2;
++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++ any_valid = 1;
++
++ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
++ return 0;
++ }
++
++#ifdef FIPS_MODULE
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++ if (p != NULL) {
++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++ any_valid = 1;
++
++ /* According to NIST Special Publication 800-131Ar2, Section 8:
++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++ * the key-derivation key [i.e., the input key] shall be at least 112
++ * bits". */
++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Verification Program, Section D.B and NIST Special Publication
++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++ * strength < 112 bits is legacy use only, so all derived keys should
++ * be longer than that. If a derived key has ever been shorter than
++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++ * should also set the returned FIPS indicator to unapproved. */
++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++ * extendable-output functions may only be used as the standalone
++ * algorithms." */
++ if (ctx->digest.md != NULL
++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++ }
++
++ if (!OSSL_PARAM_set_int(p, fips_indicator))
++ return 0;
++ }
++#endif
++
++ if (!any_valid)
++ return -2;
++
++ return 1;
+ }
+
+ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
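Review bot: The digest test in x942kdf_get_ctx_params is a denylist (only SHAKE-128 and SHAKE-256 flip the indicator), whereas the TLS1-PRF hunk above uses an allowlist, so here every other digest the provider can fetch, and a NULL `ctx->digest.md`, is reported as APPROVED by default. For a compliance indicator, an explicit list of approved digests fails closed when a new digest becomes available; if the denylist is deliberate, a comment stating which digests count as approved for X9.42 would make the choice reviewable. The `||` also trails its line while the neighbouring `&&` conditions lead theirs; `&& (EVP_MD_is_a(ctx->digest.md, "SHAKE-128")` followed by `|| EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {` would match the rest of the patch.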
+@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
+ return known_gettable_ctx_params;
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index 70f7c50fe4..6618122417 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -183,6 +183,7 @@ my %params = (
+ 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
+ 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
+ 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
+ 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
+ 'KDF_PARAM_THREADS' => "threads", # uint32_t
+--
+2.39.2
+
diff --git a/0117-ignore-unknown-sigalgorithms-groups.patch b/0117-ignore-unknown-sigalgorithms-groups.patch
index 3c52277..dd40e11 100644
--- a/0117-ignore-unknown-sigalgorithms-groups.patch
+++ b/0117-ignore-unknown-sigalgorithms-groups.patch
@@ -111,7 +111,7 @@ index 056aae3863..fe680449c5 100644
+ }
if (garg->gidcnt == garg->gidmax) {
uint16_t *tmp =
- OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT);
+ OPENSSL_realloc(garg->gid_arr,
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
gid = tls1_group_name2id(garg->ctx, etmp);
@@ -161,18 +161,18 @@ index 056aae3863..fe680449c5 100644
return 0;
if (len > (int)(sizeof(etmp) - 1))
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
- break;
+ break;
+ }
}
+- if (i == OSSL_NELEM(sigalg_lookup_tbl))
+- return 0;
++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
++ /* Ignore unknown algorithms if ignore_unknown */
++ return ignore_unknown;
++ }
}
-- if (i == OSSL_NELEM(sigalg_lookup_tbl))
-- return 0;
-+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
-+ /* Ignore unknown algorithms if ignore_unknown */
-+ return ignore_unknown;
-+ }
} else {
*p = 0;
- p++;
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
return 0;
get_sigorhash(&sig_alg, &hash_alg, etmp);
@@ -209,7 +209,7 @@ index 056aae3863..fe680449c5 100644
}
return 1;
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
- sig.sigalgcnt = 0;
+ }
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
return 0;
+ if (sig.sigalgcnt == 0) {
diff --git a/0118-no-crl-memleak.patch b/0118-no-crl-memleak.patch
deleted file mode 100644
index ee7e745..0000000
--- a/0118-no-crl-memleak.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Tue, 27 Feb 2024 15:22:58 +0100
-Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
-
-Patch-name: 0118-no-crl-memleak.patch
-Patch-id: 118
-Patch-status: |
- # https://github.com/openssl/openssl/issues/23770
----
- crypto/x509/by_file.c | 2 ++
- test/recipes/60-test_x509_load_cert_file.t | 3 ++-
- test/x509_load_cert_file_test.c | 8 +++++++-
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
-index 5073c137a2..85923804ac 100644
---- a/crypto/x509/by_file.c
-+++ b/crypto/x509/by_file.c
-@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
- goto err;
- }
- count++;
-+ X509_CRL_free(x);
-+ x = NULL;
- }
- } else if (type == X509_FILETYPE_ASN1) {
- x = d2i_X509_CRL_bio(in, NULL);
-diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
-index 75aeac362c..e329d7675c 100644
---- a/test/recipes/60-test_x509_load_cert_file.t
-+++ b/test/recipes/60-test_x509_load_cert_file.t
-@@ -12,4 +12,5 @@ setup("test_load_cert_file");
-
- plan tests => 1;
-
--ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
-+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
-+ srctop_file("test", "certs", "cyrillic_crl.pem")])));
-diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
-index 4a736071ae..c07d329915 100644
---- a/test/x509_load_cert_file_test.c
-+++ b/test/x509_load_cert_file_test.c
-@@ -12,6 +12,7 @@
- #include "testutil.h"
-
- static const char *chain;
-+static const char *crl;
-
- static int test_load_cert_file(void)
- {
-@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
- && TEST_int_eq(sk_X509_num(certs), 4))
- ret = 1;
-
-+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
-+ ret = 0;
-+
- OSSL_STACK_OF_X509_free(certs);
- X509_STORE_free(store);
- return ret;
- }
-
--OPT_TEST_DECLARE_USAGE("cert.pem...\n")
-+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
-
- int setup_tests(void)
- {
-@@ -45,6 +49,8 @@ int setup_tests(void)
- if (chain == NULL)
- return 0;
-
-+ crl = test_get_argument(1);
-+
- ADD_TEST(test_load_cert_file);
- return 1;
- }
---
-2.44.0
-
diff --git a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch b/0119-provider-sigalgs-in-signaturealgorithms-conf.patch
deleted file mode 100644
index c363223..0000000
--- a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <dbelyavs@redhat.com>
-Date: Fri, 8 Mar 2024 11:18:12 +0100
-Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
-
-Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
-Patch-id: 119
-Patch-status: |
- # https://github.com/openssl/openssl/issues/22779
----
- ssl/s3_lib.c | 8 ++++----
- ssl/ssl_lib.c | 2 +-
- ssl/ssl_local.h | 2 +-
- ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++-----------
- 4 files changed, 40 insertions(+), 17 deletions(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index e8ec98c221..48a1aa0e61 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
- return tls1_set_sigalgs(sc->cert, parg, larg, 0);
-
- case SSL_CTRL_SET_SIGALGS_LIST:
-- return tls1_set_sigalgs_list(sc->cert, parg, 0);
-+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
-
- case SSL_CTRL_SET_CLIENT_SIGALGS:
- return tls1_set_sigalgs(sc->cert, parg, larg, 1);
-
- case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
-- return tls1_set_sigalgs_list(sc->cert, parg, 1);
-+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
-
- case SSL_CTRL_GET_CLIENT_CERT_TYPES:
- {
-@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
- return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
-
- case SSL_CTRL_SET_SIGALGS_LIST:
-- return tls1_set_sigalgs_list(ctx->cert, parg, 0);
-+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
-
- case SSL_CTRL_SET_CLIENT_SIGALGS:
- return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
-
- case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
-- return tls1_set_sigalgs_list(ctx->cert, parg, 1);
-+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
-
- case SSL_CTRL_SET_CLIENT_CERT_TYPES:
- return ssl3_set_req_cert_type(ctx->cert, parg, larg);
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 1329841aaf..4d95ab71cd 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
- return tls1_set_groups_list(ctx, NULL, NULL, parg);
- case SSL_CTRL_SET_SIGALGS_LIST:
- case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
-- return tls1_set_sigalgs_list(NULL, parg, 0);
-+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
- default:
- return 0;
- }
-diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
-index 0d3acfbe66..a73b2c4770 100644
---- a/ssl/ssl_local.h
-+++ b/ssl/ssl_local.h
-@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
-
- void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
-
--__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
-+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
- __owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
- int client);
- __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fe680449c5..87f2ae7000 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
-
- /* now populate ctx->ssl_cert_info */
- if (ctx->sigalg_list_len > 0) {
-+ OPENSSL_free(ctx->ssl_cert_info);
- ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
- if (ctx->ssl_cert_info == NULL)
- return 0;
-@@ -2889,6 +2890,7 @@ typedef struct {
- size_t sigalgcnt;
- /* TLSEXT_SIGALG_XXX values */
- uint16_t sigalgs[TLS_MAX_SIGALGCNT];
-+ SSL_CTX *ctx;
- } sig_cb_st;
-
- static void get_sigorhash(int *psig, int *phash, const char *str)
-@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
- static int sig_cb(const char *elem, int len, void *arg)
- {
- sig_cb_st *sarg = arg;
-- size_t i;
-+ size_t i = 0;
-+ int load_success = 0;
- const SIGALG_LOOKUP *s;
- char etmp[TLS_MAX_SIGSTRING_LEN], *p;
- int sig_alg = NID_undef, hash_alg = NID_undef;
-@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
- * in the table.
- */
- if (p == NULL) {
-- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
-- i++, s++) {
-- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
-- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
-- break;
-- }
-+ /* Load provider sigalgs */
-+ if (sarg->ctx) {
-+ load_success = ssl_load_sigalgs(sarg->ctx);
- }
-- if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
-- /* Ignore unknown algorithms if ignore_unknown */
-- return ignore_unknown;
-+ if (load_success) {
-+ /* Check if a provider supports the sigalg */
-+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
-+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
-+ && strcmp(etmp,
-+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
-+ sarg->sigalgs[sarg->sigalgcnt++] =
-+ sarg->ctx->sigalg_list[i].code_point;
-+ break;
-+ }
-+ }
- }
-+ /* Check the built-in sigalgs */
-+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
-+ for (i = 0, s = sigalg_lookup_tbl;
-+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
-+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
-+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
-+ break;
-+ }
-+ }
-+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
-+ /* Ignore unknown algorithms if ignore_unknown */
-+ return ignore_unknown;
-+ }
-+ }
- } else {
- *p = 0;
- p++;
-@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
- * Set supported signature algorithms based on a colon separated list of the
- * form sig+hash e.g. RSA+SHA512:DSA+SHA512
- */
--int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
-+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
- {
- sig_cb_st sig;
- sig.sigalgcnt = 0;
-+ sig.ctx = ctx;
- if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
- return 0;
- if (sig.sigalgcnt == 0) {
---
-2.44.0
-
diff --git a/openssl.spec b/openssl.spec
index fada88f..1055099 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.2.1
-Release: 10%{?dist}
+Version: 3.2.2
+Release: 1%{?dist}
Epoch: 1
Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate
@@ -115,7 +115,7 @@ Patch76: 0076-FIPS-140-3-DRBG.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
-Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+Patch78: 0078-KDF-Add-FIPS-indicators.patch
# We believe that some changes present in CentOS are not necessary
# because ustream has a check for FIPS version
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
@@ -149,10 +149,6 @@ Patch115: 0115-skip-quic-pairwise.patch
Patch116: 0116-version-aliasing.patch
# https://github.com/openssl/openssl/issues/23050
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
-# https://github.com/openssl/openssl/issues/23770
-Patch118: 0118-no-crl-memleak.patch
-# https://github.com/openssl/openssl/issues/22779
-Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
# https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
Patch120: 0120-Allow-disabling-of-SHA1-signatures.patch
# From CentOS 9
@@ -509,6 +505,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Thu Jun 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-1
+- Rebase to 3.2.2
+
* Wed Jun 05 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 1:3.2.1-10
- Do not require openssl-fips-provider on ELN
diff --git a/sources b/sources
index 21d66d1..6d3dc96 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f
+SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d